system
2
confirmed here after reading the Google page:
When a website is secured via HTTPS, the web site designer must also ensure that all of the scripts used by the page will be delivered in the same secure manner as the main page itself. The same requirements also apply to the plugins and external CSS stylesheets used by the page, as these have the same considerations as javascript.
When this is not the case (sometimes called a “mixed script” situation), visitors to the site run the risk that attackers can interfere with the website and change the script so as to serve their own purposes.